| From: | Josh Berkus <josh(at)agliodbs(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Cc: | "Greg Sabino Mullane" <greg(at)turnstep(dot)com> |
| Subject: | Re: Including PL/PgSQL by default |
| Date: | 2008-02-21 17:54:14 |
| Message-ID: | 200802210954.15159.josh@agliodbs.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom,
> > I grow weary of repeating this: it's not about resource consumption, nor
> > about potential security holes in plpgsql itself. It's about handing
> > attackers the capability to further exploit *other* security holes.
>
> Well, without specific examples, I'm not sure I understand what plpgsql
> buys you that you could not do other ways (e.g. generate_series() for
> looping).
I have to agree with Greg here: I don't see what significant new security
issues PL/pgSQL opens up. Certainly including PL/perl or PL/sh would, but
PL/pgSQL?
One of the reasons we advertise to use PostgreSQL is our ability to do
sophisticated backend database things, which other OSDBs don't have.
I agree that there should be some way to disable PL/pgSQL for "locked down"
installations, but I think the majority of users want it to just be there.
--
Josh Berkus
PostgreSQL @ Sun
San Francisco
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Joshua D. Drake | 2008-02-21 17:55:35 | Re: Including PL/PgSQL by default |
| Previous Message | Mark Woodward | 2008-02-21 17:53:08 | Re: Permanent settings |